Sunday, October 30, 2011

AUTH TLS + FEAT

I ran across a vulnerability a little while ago that was rather interesting. FTP/FTPS has a "FEAT" (Features) command that can be passed to the server in order to find out what features are available. But with FTPS this should only work after you are authenticated.

Nessus reported the issue but gave the following output for steps to duplicate:
Nessus sent the following two commands in a single packet :

AUTH TLS\r\nFEAT\r\n

And the server sent the following two responses :

234 AUTH command ok. Expecting TLS Negotiation.
211-Extended features supported:
LANG EN*
UTF8
AUTH TLS;TLS-C;SSL;TLS-P;
PBSZ
PROT C;P;
CCC
HOST
SIZE
MDTM
211 END
Now, I may not be the smartest person when it comes to telnet but I am pretty sure you are not able to pass '\r\n' into a telnet session. After making a few attempts my suspicions were confirmed and I was left wondering what it was I needed to do to get the command to execute properly.

I turned to Google for help and found a forum that answered my question: the control character for 'return'/'enter' is ^J. By using ^J I was able to insert a 'return' but not have the return executed until after I physically hit the return button when I was done with the commands I wanted to execute.

testing:~ hyrum$ telnet www.testsite.com 21
Trying 1.2.3.4...
Connected to www.testsite.com.
Escape character is '^]'.
220 Microsoft FTP Service
AUTH TLS^JFEAT
234 AUTH command ok. Expecting TLS Negotiation.
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
211 END
By inserting ^J after 'AUTH TLS' it was possible to append the FEAT command. According to the RFC (RFC 4217), if you pass the FEAT command to the server, the server must respond with the available features:

"If a server supports the FEAT command, then it MUST advertise supported AUTH, PBSZ, and PROT commands in the reply, as described in section 3.2 of [RFC-2389]."

It ended up being that simple. Control characters really do come in handy sometimes. So, the next time you want to pass two commands while in a telnet session don't forget about ^J.
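To make the finding easier to reason about, here is an added example (my own code, not from the original post or from Nessus) that parses the reply stream an FTPS control connection returns to the pipelined "AUTH TLS\r\nFEAT\r\n" and reports whether the server kept answering plaintext commands after it sent 234. The sample bytes are constructed from the replies quoted above; the hostname in check_server is a placeholder, and the interpretation of "any reply after 234 means the server did not switch to TLS before reading the next command" is my assumption about what the scanner finding is measuring.

```python
import re
import socket

# Constructed sample: the two replies the post shows the server returning
# to the single packet "AUTH TLS\r\nFEAT\r\n".
SAMPLE_LEAKY_RESPONSE = (
    b"234 AUTH command ok. Expecting TLS Negotiation.\r\n"
    b"211-Extended features supported:\r\n"
    b" LANG EN*\r\n"
    b" UTF8\r\n"
    b" AUTH TLS;TLS-C;SSL;TLS-P;\r\n"
    b" PBSZ\r\n"
    b" PROT C;P;\r\n"
    b" CCC\r\n"
    b" HOST\r\n"
    b" SIZE\r\n"
    b" MDTM\r\n"
    b"211 END\r\n"
)

# Constructed sample of the expected behaviour: the server answers 234 and
# then waits for the TLS handshake instead of reading more plaintext.
SAMPLE_CLEAN_RESPONSE = b"234 AUTH command ok. Expecting TLS Negotiation.\r\n"

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_replies(raw):
    """Split raw control-connection bytes into (code, text) tuples.

    Handles RFC 959 multi-line replies: a line 'xyz-...' opens a block that
    ends at the next line starting with 'xyz ' (here '211 END').
    """
    replies = []
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    i = 0
    while i < len(lines):
        m = REPLY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        code, sep, text = m.groups()
        body = [text]
        if sep == "-":
            i += 1
            while i < len(lines):
                body.append(lines[i])
                if lines[i].startswith(code + " "):
                    break
                i += 1
        replies.append((code, "\n".join(body)))
        i += 1
    return replies


def replies_after_tls_accept(raw):
    """Return the reply codes the server sent in plaintext after its 234.

    A server that really switches to TLS after 234 sends nothing further
    on the plaintext channel; a non-empty list means the queued FEAT was
    processed before the handshake (the behaviour the post describes).
    """
    codes = [code for code, _ in parse_replies(raw)]
    if "234" not in codes:
        return []
    return codes[codes.index("234") + 1:]


def features_advertised(raw):
    """Extract the feature lines from a 211 FEAT reply, if one is present."""
    for code, text in parse_replies(raw):
        if code == "211":
            inner = text.split("\n")[1:-1]  # drop header and '211 END'
            return [line.strip() for line in inner if line.strip()]
    return []


def check_server(host="ftp.example.invalid", port=21, timeout=5.0):
    """Run the same two-commands-in-one-packet check against your own server.

    Returns the plaintext reply codes seen after 234 (empty = expected).
    The default host is a placeholder, not a real target.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(4096)  # banner, e.g. '220 Microsoft FTP Service'
        s.sendall(b"AUTH TLS\r\nFEAT\r\n")
        raw = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
        except socket.timeout:
            pass  # a correct server goes quiet, waiting for the TLS handshake
    return replies_after_tls_accept(raw)


if __name__ == "__main__":
    print("leaky sample, codes after 234:", replies_after_tls_accept(SAMPLE_LEAKY_RESPONSE))
    print("clean sample, codes after 234:", replies_after_tls_accept(SAMPLE_CLEAN_RESPONSE))
    print("features:", features_advertised(SAMPLE_LEAKY_RESPONSE))
```

The parser is the useful part when reviewing a packet capture of this check: the 211 block is a multi-line reply, so counting "211" lines naively would miscount it, whereas the open/close rule above yields exactly one reply after the 234.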

Monday, October 17, 2011

Debian - Openbox Install

This last week I was trying to install openbox on a fresh install of Debian but ran into issues after running
$ apt-get install openbox
Doing a Google search gave me several links of people suggesting that I compile openbox from source and that it is the only way to get it installed. After a little more research and help from Mike (thanks, Mike) I ended up doing the following:
$ apt-get install slim
$ apt-get install openbox menu
Did I really need to do two apt-get's? No, but I wanted to make sure that slim really was installed before moving on.

So, the first apt-get is to install slim which is a "graphical login manager for X11" (aptitude show slim).

The second apt-get is to install openbox itself and menu which is a "Debian menu [that] keeps transparently the menus in the different window-managers in sync with the list of installed programs." (aptitude show menu)

That is all you should have to install. Once you have installed these three items, reboot the system and you should be presented with a login window. When you go to log in, click on session and choose openbox; you should only have to do this once.

If you thought this was at all helpful please post a comment and let me know.